MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0a1e9b62191e07ea98956e62287d3a9fadc0b6dbd7d6e60a755d2396b35fad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neshta


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0a1e9b62191e07ea98956e62287d3a9fadc0b6dbd7d6e60a755d2396b35fad6
SHA3-384 hash: 8af6a59a65b3ae2971447e5ab164a7fbe9f800bbe6ec549447352fe71abb70e71a691e4373d9b449c7a554e553e5e978
SHA1 hash: 56b739a55c2e51b78eda3582dbb5abbcc5d787b4
MD5 hash: cf3481040d52591b5a01f0b270b1db87
humanhash: kentucky-freddie-missouri-johnny
File name:cf3481040d52591b5a01f0b270b1db87.exe
Download: download sample
Signature Neshta
Create hunting rule
File size:482'304 bytes
First seen:2021-09-26 14:48:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 6144:k98m/fkLNac4hxSuceQ9cj0/hPhQm5TViEPReg4u5FZwkXZtNdRE1EcyDopHSdB7:FkrHQ9O0hPS6J4u5vwkTNj0E7cSdBgXy
Threatray 9'895 similar samples on MalwareBazaar
TLSH T145A4AE11BF94D570EC9205BE7404E7AA05293D36592BCB5B77C32B8F68303EAA616F13
Reporter abuse_ch
Tags:exe Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cf3481040d52591b5a01f0b270b1db87.exe
Verdict:
Malicious activity
Analysis date:
2021-09-26 14:49:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3bd7961-6ef1-468f-94ee-37bf7b7db1c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191781/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Dropper.LokiBot-9893731-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows directory
Modifying an executable file
Creating a file
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd9e1ad2-ecc7-4f39-9a8c-6779068efd5f
Result
Threat name:
FormBook Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858434
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 490865 Sample: Yy788lmJnh.exe Startdate: 26/09/2021 Architecture: WINDOWS Score: 100 37 www.starlangue.com 2->37 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 12 other signatures 2->59 10 Yy788lmJnh.exe 4 2->10         started        signatures3 process4 file5 29 C:\Windows\svchost.com, PE32 10->29 dropped 31 C:\Users\user\AppData\Local\...\setup.exe, PE32 10->31 dropped 33 C:\Users\user\AppData\...\Yy788lmJnh.exe, PE32 10->33 dropped 35 108 other malicious files 10->35 dropped 69 Creates an undocumented autostart registry key 10->69 71 Drops PE files with a suspicious file extension 10->71 73 Drops executable to a common third party application directory 10->73 75 Infects executable files (exe, dll, sys, html) 10->75 14 Yy788lmJnh.exe 1 10->14         started        signatures6 process7 signatures8 77 Maps a DLL or memory area into another process 14->77 79 Tries to detect virtualization through RDTSC time measurements 14->79 17 Yy788lmJnh.exe 14->17         started        20 conhost.exe 14->20         started        process9 signatures10 45 Modifies the context of a thread in another process (thread injection) 17->45 47 Maps a DLL or memory area into another process 17->47 49 Sample uses process hollowing technique 17->49 51 Queues an APC in another process (thread injection) 17->51 22 explorer.exe 17->22 injected process11 dnsIp12 39 www.dollyvee.com 91.195.240.117, 49810, 80 SEDO-ASDE Germany 22->39 41 xn--naqejahan-n3b.com 34.98.99.30, 49819, 80 GOOGLEUS United States 22->41 43 8 other IPs or domains 22->43 61 System process connects to network (likely due to code injection or exploit) 22->61 26 svchost.exe 22->26         started        signatures13 process14 signatures15 63 Modifies the context of a thread in another process (thread injection) 26->63 65 Maps a DLL or memory area into another process 26->65 67 Tries to detect virtualization through RDTSC time measurements 26->67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0a1e9b62191e07ea98956e62287d3a9fadc0b6dbd7d6e60a755d2396b35fad6/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 14:49:05 UTC
AV detection:
43 of 45 (95.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucq6tnrbshqh5kmjk3tcfb6tvh5nyc3nxv6w4yfhkxjds2zv7lla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566
Neshta
1a0e2480076fc22a18ad51c79af447258a2615da953058a46b938d84ca6603a4
Neshta
385f5ca91b0a230a14f5d32c79d061a3af0f5533923ad62e1982d1327ed086a4
Neshta
4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
Neshta
515f1994cd7f6a4e2a5e642f6905d9897e22abceaaaf235a2bb3ed7835818874
Neshta
9c8f32833d3c63f139b6ac0c3c7cbfcfbdd0f6a67c78b35bfe44bd8476d6e8b8
Neshta
a2c6a9d6809c3cf2ea1108aae86677aaba31ef7e2f10017331716bedd2a8f91c
Neshta
a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26
Neshta
b56e7b2be2bb194db6e8e7c95e9477c49863e0eb8d2818f266f69e8e1a09647b
Neshta
+ 9'885 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:xloader campaign:b6a4 loader persistence rat spyware stealer
Link:
https://tria.ge/reports/210926-r61ksaehcq/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Modifies system executable filetype association
Neshta
Xloader
Malware Config
C2 Extraction:
http://www.helpmovingandstorage.com/b6a4/
Unpacked files
SH256 hash:
a0a1e9b62191e07ea98956e62287d3a9fadc0b6dbd7d6e60a755d2396b35fad6
MD5 hash:
cf3481040d52591b5a01f0b270b1db87
SHA1 hash:
56b739a55c2e51b78eda3582dbb5abbcc5d787b4
Link:
https://www.unpac.me/results/1106b838-26f5-45e1-a704-5525768f52d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/a0a1e9b62191e07ea98956e62287d3a9fadc0b6dbd7d6e60a755d2396b35fad6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Neshta

Executable exe a0a1e9b62191e07ea98956e62287d3a9fadc0b6dbd7d6e60a755d2396b35fad6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1628618/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1628584/
Cape
Cape
https://www.capesandbox.com/analysis/191781/

Comments